This is a static archive of our old Q&A Site. Please post any new questions and answers at

Capture filter based on data in packet


I need to sniff packets from a very busy proxy server (both interfaces, internal and external). What is worse, I will need to sniff for a day, maybe several days. Because of this I need a very precise filter. As a display filter it would look like this:

http contains someurl or ip.addr eq

or, slightly more complex:

(ip.dst eq and http contains someurl) or ip.addr eq

The problem is obviously the "http contains someurl" part. This part is vital, as it will change 50 Mbps of traffic to only, say, 20 MB per day.

Any solution will do. Tshark, dumpcap, the GUI. I was thinking of something similar to this:

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length.

From Jefferson Ogata via the tcpdump-workers mailing list.

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

asked 27 Mar '14, 05:09

robstar

accept rate: 0%

Obviously I tried changing the hex-value to what I want to search, but that doesn't work. My guess is that it's searching in a very narrow part of the packet.

But how do I make it work?

(27 Mar '14, 08:44) robstar

One Answer:


You can't do that with a 'simple' capture filter. You can try to use the capture filter generator, but the resulting filter might not work in all cases!!

Just take a look at the default sample and the generated capture filter. Duh....

Here is my suggestion: use ngrep

ngrep -d eth0 -O /var/tmp/http.pcap '/someurl' 'port 80 and (host or net'

ngrep will write all frames that meet the search criteria to /var/tmp/http.pcap. It will not write the whole tcp stream, which is obvious!

There is also a Windows version of ngrep (please google/bing it).


answered 27 Mar '14, 11:42


Kurt Knochner ♦
accept rate: 15%
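The following is an added example, not part of the original question or answer. It generalizes the quoted 'GET ' filter to an arbitrary string at a fixed offset into the TCP payload and shows on constructed segments why such a filter misses the same string at any other position, which is the case a payload search like ngrep covers. The function names and sample requests are assumptions made for illustration.

```python
import struct

# TCP header length in bytes, as computed by the filter quoted in the question.
HDR = "((tcp[12:1] & 0xf0) >> 2)"

def bpf_match(text, offset=0):
    """BPF expression matching `text` at `offset` bytes into the TCP payload."""
    data, terms, pos = text.encode("ascii"), [], 0
    while pos < len(data):
        # BPF compares at most 4 bytes at a time, so split into 4/2/1-byte chunks.
        size = next(n for n in (4, 2, 1) if n <= len(data) - pos)
        value = int.from_bytes(data[pos:pos + size], "big")
        width = size * 2
        index = HDR if offset + pos == 0 else f"{HDR} + {offset + pos}"
        terms.append(f"tcp[{index}:{size}] = 0x{value:0{width}x}")
        pos += size
    return " and ".join(terms)

def fixed_offset_match(segment, text, offset=0):
    """What that BPF expression tests, evaluated on a raw TCP segment."""
    start = ((segment[12] & 0xF0) >> 2) + offset
    needle = text.encode("ascii")
    return segment[start:start + len(needle)] == needle

def tcp_segment(payload, options=b""):
    """Constructed TCP segment; ports, sequence numbers and checksum are dummies."""
    words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

# Constructed sample requests (not captured traffic).
AT_START = tcp_segment(b"GET /someurl/a HTTP/1.1\r\nHost: example.test\r\n\r\n")
DEEPER = tcp_segment(b"GET /x/someurl HTTP/1.1\r\nHost: example.test\r\n\r\n",
                     options=b"\x01" * 12)  # 12 bytes of TCP NOP options

if __name__ == "__main__":
    print(bpf_match("GET "))
    print("port 80 and " + bpf_match("/someurl", offset=4))
    print(fixed_offset_match(AT_START, "/someurl", 4))   # URL right after "GET "
    print(fixed_offset_match(DEEPER, "/someurl", 4))     # URL present, other offset
    print(b"/someurl" in DEEPER)                         # what a payload search sees
```
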